Pension Benefit Guaranty Corporation
Office of Inspector General
Evaluation Report

Fiscal Year 2009 Vulnerability Assessment, Penetration Testing, and Social Engineering Report

RESTRICTED DISCLOSURE
This document contains privileged and confidential information, and was produced at the direction of the Pension Benefit Guaranty Corporation, Office of Inspector General. It may not be disclosed, reproduced, or disseminated without the express permission of the Inspector General.

March 2, 2010
EVAL-2010-6 / FA-09-64-6


Clifton Gunderson LLP
Certified Public Accountants & Consultants

Ms. Rebecca Anne Batts
Inspector General
Pension Benefit Guaranty Corporation
1200 K Street, NW.
Washington, DC 20005-4026

Dear Ms. Batts:

We are pleased to provide the Fiscal Year (FY) 2009 Vulnerability Assessment, Penetration Testing, and Social Engineering Report, detailing the results of our review of the Pension Benefit Guaranty Corporation (PBGC) information security infrastructure. The scope of our engagement included conducting vulnerability assessments and penetration testing on PBGC systems. Our assessment was performed from July 16, 2009 through August 28, 2009.

In accordance with the Rules of Engagement negotiated with the PBGC Office of Inspector General (OIG), we conducted social engineering, and external and internal vulnerability assessments to discover possible weaknesses in PBGC's logical security controls and to exploit discovered vulnerabilities. The goal of our assessment was to determine the degree of control PBGC could expect an attacker to achieve after a successful penetration. During our assessment, we discovered live hosts residing on external and internal PBGC networks and conducted overt and covert vulnerability assessments on IP addresses in use. We obtained approval prior to exploitation of discovered vulnerabilities to attempt to gain access to sensitive data.

We found major issues of concern and suggested that management:

     •     Ensure that PBGC systems have the most current patches and updates for all systems, and
     •     Implement standardized procedures, including best practices to strengthen or harden the configuration of PBGC's operating systems and applications.

To avoid duplication, specific recommendations are not included in this report. Instead, specific recommendations resulting from our penetration testing and vulnerability assessment are reported in the Report on Internal Controls Related to the Pension Benefit Guaranty Corporation's Fiscal Year 2009 and 2008 Financial Statements Audit (AUD-2010-2 / FA-09-64-2) or the planned Fiscal Year 2009 FISMA Independent Evaluation Report, scheduled to be issued in March 2010.

11710 Beltsville Drive
Suite 300
Calverton, Maryland 20705
tel: 301-931-2050
fax: 301-931-1710
Offices in 17 states and Washington, DC
www.cliftoncpa.com

At the conclusion of our testing, we separately provided detailed information to PBGC management through the OIG on the results of our penetration testing. In addition, a limited use PowerPoint presentation summarizing the results of our assessment was provided to management. A copy of that presentation is attached.

Calverton, Maryland
November 12, 2009


Attachment


Attachment

The presentation summarizing PBGC's vulnerability assessment contains confidential and proprietary information and has been redacted.


If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

Telephone:
The Inspector General's HOTLINE
1-800-303-9737

The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

Web:
http://oig.pbgc.gov/investigation/details.html

Or Write:
Pension Benefit Guaranty Corporation
Office of Inspector General
PO Box 34177
Washington, DC 20043-4177